Security News > 2022 > October > US Govt: Hackers stole data from US defense org using new malware

The U.S. Government today released an alert about state-backed hackers using a custom 'CovalentStealer' malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base sector.
The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan, and well over a dozen ChinaChopper webshell samples.
CVE-2021-26855 is a server-side request forgery vulnerability in Exchange that allows sending arbitrary HTTP requests and authenticating as the Exchange server.
While the initial access vector is unknown, the current advisory notes that the hackers gained access to the organization's Exchange Server in mid-January 2022.
"These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2hedebug directory" - joint report from CISA, FBI, and NSA. At the beginning of March, the hackers exploited the ProxyLogon vulnerabilities to install no less than 17 China Chopper webshells on the Exchange Server.
CISA shares technical details for the HyperBro RAT in distinct report, saying that the capabilities of the malware include uploading and downloading files to and from the system, logging keystrokes, executing commands on the infected host, and bypassing User Account Control protection to run with full admin privileges.
News URL
Related news
- Chinese hackers use custom malware to spy on US telecom networks (source)
- Suspected NATO, UN, US Army hacker arrested in Spain (source)
- Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware (source)
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- North Korean hackers spotted using ClickFix tactic to deliver malware (source)
- Chinese hackers breach more US telecoms via unpatched Cisco routers (source)
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware (source)
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems (source)
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- US defense contractor cops to sloppy security, settles after infosec lead blows whistle (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-03 | CVE-2021-26855 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |